Author: rjung Date: Fri Oct 12 09:51:42 2018 New Revision: 1843636 URL: http://svn.apache.org/viewvc?rev=1843636&view=rev Log: Tab police. No functional change.
Modified: tomcat/native/trunk/native/src/sslnetwork.c Modified: tomcat/native/trunk/native/src/sslnetwork.c URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslnetwork.c?rev=1843636&r1=1843635&r2=1843636&view=diff ============================================================================== --- tomcat/native/trunk/native/src/sslnetwork.c (original) +++ tomcat/native/trunk/native/src/sslnetwork.c Fri Oct 12 09:51:42 2018 
@@ -631,121 +631,121 @@ TCN_IMPLEMENT_CALL(jint, SSLSocket, rene TCN_ASSERT(sock != 0); con = (tcn_ssl_conn_t *)s->opaque; session = SSL_get_session(con->ssl); - apr_socket_timeout_get(con->sock, &timeout); + apr_socket_timeout_get(con->sock, &timeout); #if defined(SSL_OP_NO_TLSv1_3) if (SSL_SESSION_get_protocol_version(session) == TLS1_3_VERSION) { - // TLS 1.3 renegotiation - retVal = SSL_verify_client_post_handshake(con->ssl); - if (retVal <= 0) { - return APR_EGENERAL; - } - - con->pha_state = PHA_STARTED; - - // Need to trigger a write operation to sent the cert request to the - // client. As per OpenSSL docs, use SSL_do_handshake() for this. - retVal = SSL_do_handshake(con->ssl); - if (retVal <= 0) { - return APR_EGENERAL; - } - - // Trigger reading of the certs from the client - retVal = SSL_peek(con->ssl, peekbuf, 0); - if (retVal < 1) { - error = SSL_get_error(con->ssl, retVal); - } - - // If the certs have not been received, then need to wait for I/O - while (con->pha_state == PHA_STARTED) { - // SSL_ERROR_WANT_READ is expected. Anything else is an error. - if (error == SSL_ERROR_WANT_READ) { - retVal = wait_for_io_or_timeout(con, error, timeout); - /* - * Since this is blocking I/O, anything other than APR_SUCCESS is an - * error. - */ - if (retVal != APR_SUCCESS) { - con->shutdown_type = SSL_SHUTDOWN_TYPE_UNCLEAN; - return retVal; - } - } else { - return APR_EGENERAL; - } - - // Re-try SSL_peek after I/O - retVal = SSL_peek(con->ssl, peekbuf, 0); - if (retVal < 1) { - error = SSL_get_error(con->ssl, retVal); - } else { - /* - * Reset error to handle case where SSL_Peek returns 0 but - * con->pha_state has not changed. This will trigger an error - * to be returned. - */ - error = 0; - } - } + // TLS 1.3 renegotiation + retVal = SSL_verify_client_post_handshake(con->ssl); + if (retVal <= 0) { + return APR_EGENERAL; + } + + con->pha_state = PHA_STARTED; + + // Need to trigger a write operation to sent the cert request to the + // client. 
As per OpenSSL docs, use SSL_do_handshake() for this. + retVal = SSL_do_handshake(con->ssl); + if (retVal <= 0) { + return APR_EGENERAL; + } + + // Trigger reading of the certs from the client + retVal = SSL_peek(con->ssl, peekbuf, 0); + if (retVal < 1) { + error = SSL_get_error(con->ssl, retVal); + } + + // If the certs have not been received, then need to wait for I/O + while (con->pha_state == PHA_STARTED) { + // SSL_ERROR_WANT_READ is expected. Anything else is an error. + if (error == SSL_ERROR_WANT_READ) { + retVal = wait_for_io_or_timeout(con, error, timeout); + /* + * Since this is blocking I/O, anything other than APR_SUCCESS is an + * error. + */ + if (retVal != APR_SUCCESS) { + con->shutdown_type = SSL_SHUTDOWN_TYPE_UNCLEAN; + return retVal; + } + } else { + return APR_EGENERAL; + } + + // Re-try SSL_peek after I/O + retVal = SSL_peek(con->ssl, peekbuf, 0); + if (retVal < 1) { + error = SSL_get_error(con->ssl, retVal); + } else { + /* + * Reset error to handle case where SSL_Peek returns 0 but + * con->pha_state has not changed. This will trigger an error + * to be returned. + */ + error = 0; + } + } } else { #endif - // TLS 1.2 and earlier renegotiation + // TLS 1.2 and earlier renegotiation - /* Toggle the renegotiation state to allow the new - * handshake to proceed. - */ - con->reneg_state = RENEG_ALLOW; - - // Schedule a renegotiation request - retVal = SSL_renegotiate(con->ssl); - if (retVal <= 0) { - return APR_EGENERAL; - } - - /* Need to trigger the renegotiation handshake by reading. - * Peeking 0 bytes actually works. - * See: http://marc.info/?t=145493359200002&r=1&w=2 - * - * This will normally return SSL_ERROR_WANT_READ whether the renegotiation - * has been completed or not. Afterwards, need to determine if I/O needs to - * be triggered or not. 
- */ - retVal = SSL_peek(con->ssl, peekbuf, 0); - if (retVal < 1) { - error = SSL_get_error(con->ssl, retVal); - } - - // If the renegotiation is still pending, then I/O needs to be triggered - while (SSL_renegotiate_pending(con->ssl)) { - // SSL_ERROR_WANT_READ is expected. Anything else is an error. - if (error == SSL_ERROR_WANT_READ) { - retVal = wait_for_io_or_timeout(con, error, timeout); - /* - * Since this is blocking I/O, anything other than APR_SUCCESS is an - * error. - */ - if (retVal != APR_SUCCESS) { - con->shutdown_type = SSL_SHUTDOWN_TYPE_UNCLEAN; - return retVal; - } - } else { - return APR_EGENERAL; - } - - // Re-try SSL_peek after I/O - retVal = SSL_peek(con->ssl, peekbuf, 0); - if (retVal < 1) { - error = SSL_get_error(con->ssl, retVal); - } else { - /* - * Reset error to handle case where SSL_Peek returns 0 but - * SSL_renegotiate_pending returns true. This will trigger an error - * to be returned. - */ - error = 0; - } - } + /* Toggle the renegotiation state to allow the new + * handshake to proceed. + */ + con->reneg_state = RENEG_ALLOW; + + // Schedule a renegotiation request + retVal = SSL_renegotiate(con->ssl); + if (retVal <= 0) { + return APR_EGENERAL; + } + + /* Need to trigger the renegotiation handshake by reading. + * Peeking 0 bytes actually works. + * See: http://marc.info/?t=145493359200002&r=1&w=2 + * + * This will normally return SSL_ERROR_WANT_READ whether the renegotiation + * has been completed or not. Afterwards, need to determine if I/O needs to + * be triggered or not. + */ + retVal = SSL_peek(con->ssl, peekbuf, 0); + if (retVal < 1) { + error = SSL_get_error(con->ssl, retVal); + } + + // If the renegotiation is still pending, then I/O needs to be triggered + while (SSL_renegotiate_pending(con->ssl)) { + // SSL_ERROR_WANT_READ is expected. Anything else is an error. 
+ if (error == SSL_ERROR_WANT_READ) { + retVal = wait_for_io_or_timeout(con, error, timeout); + /* + * Since this is blocking I/O, anything other than APR_SUCCESS is an + * error. + */ + if (retVal != APR_SUCCESS) { + con->shutdown_type = SSL_SHUTDOWN_TYPE_UNCLEAN; + return retVal; + } + } else { + return APR_EGENERAL; + } + + // Re-try SSL_peek after I/O + retVal = SSL_peek(con->ssl, peekbuf, 0); + if (retVal < 1) { + error = SSL_get_error(con->ssl, retVal); + } else { + /* + * Reset error to handle case where SSL_Peek returns 0 but + * SSL_renegotiate_pending returns true. This will trigger an error + * to be returned. + */ + error = 0; + } + } - con->reneg_state = RENEG_REJECT; + con->reneg_state = RENEG_REJECT; #if defined(SSL_OP_NO_TLSv1_3) } #endif --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org